A recent project needed a vulnerability scanner that could be deployed to a variety of clients and their networks to do a vulnerability scan. This would act as one component of a larger activity to ensure a secure system for credit card handling.
The goal was to look at the network the way an attacker would: find open services and detect whether they have known vulnerabilities. There are a variety of open source and commercial products for doing vulnerability scans, but I decided to focus efforts on OpenVAS, a well recognized and helpful tool for administrators needing to identify potential security issues on their networks.
As part of the effort I wanted to evaluate the use of this tool on a Raspberry Pi. It turns out it works for single-host scanning but has some limitations for larger network scans.
The Install OpenVAS for Broad Vulnerability Assessment guide by Barrow on Null-Byte Wonder How To is still relevant as of May 2018 for the RPi Kali 2018.02 image as put out by the Offensive Security team.
There were a few false starts as I learned some gotchas of both Kali Linux and OpenVAS. This is the basic checklist I ran through to get a happy OpenVAS on my RPi using a 16GB SD card:
apt update && apt upgrade --yes && apt dist-upgrade --yes
# regenerate the SSH host keys that ship with the image
rm /etc/ssh/ssh_host_*
dpkg-reconfigure openssh-server
service ssh restart
# interactive: grow the root partition (mmcblk0p2) to fill the 16GB card,
# then grow the filesystem to match
fdisk /dev/mmcblk0
resize2fs /dev/mmcblk0p2
apt install htop lsof
apt-get install -y openvas
openvas-setup # wait a long time
# capture the admin password generated
openvas-start # should auto launch your web browser
# if not go to https://127.0.0.1:9392/
# and login using admin/(password)
Once the web GUI is up you can create a new scan job using the Task Wizard found via:
Scans -> Tasks -> Purple Wand Icon -> Task Wizard
Use the wizard to create a scan for your target system using its IP or DNS name. Doing a single system scan worked well for me; it took a long while to get through all 60,000 Network Vulnerability Tests, but it did complete and allowed me to review the report.
I did this process using the RPi with Kali as a desktop workstation. It quickly became apparent that the RPi struggles to serve the OpenVAS administrator website (Greenbone Security Assistant). Patience is required after each click while you wait for the action to be processed and the page rendered.
The full scan of a single system took about two hours. Not great, but not too shabby if you have a focused target to check.
After validating that a single IP scan worked well, I wanted a full home network scan. The task wizard can take a CIDR address for a target: 192.168.16.0/24.
My home network has about 25 devices on it and the initial scan task died before it even got to 2%. I tried a few different runs to debug what was going on before I realized the Pi was simply running out of resources and killing random processes (the scanner, the website, Firefox tabs, terminals).
This is because the default for a new scan is to scan 30 hosts concurrently with up to 10 Network Vulnerability Tests (NVTs) per host. This 30/10 combination is clearly way out of line for the amount of RAM an RPi brings to the table.
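A quick way to confirm this diagnosis on the Pi itself, rather than guessing from dead terminals, is to check the kernel log for OOM-killer activity while a scan runs. The script below is an added example, not code from the original post: the dmesg lines it parses are constructed samples covering both kernel message formats, and the live scan_health helper assumes the Pi's kernel exposes MemAvailable in /proc/meminfo and that dmesg is readable by the current user.

```shell
# Constructed sample of kernel log output: one older-style OOM message (two lines),
# one newer-style OOM message, and one unrelated line that must be ignored.
SAMPLE_DMESG='[12345.678901] Out of memory: Kill process 1203 (openvassd) score 612 or sacrifice child
[12346.100000] Killed process 1203 (openvassd) total-vm:412000kB, anon-rss:301000kB, file-rss:0kB
[12400.000000] Out of memory: Killed process 2210 (firefox-esr) total-vm:900000kB, anon-rss:410000kB, file-rss:0kB, shmem-rss:0kB
[12500.000000] usb 1-1: new high-speed USB device number 4 using dwc_otg'

# Print the name of each process the OOM killer chose, one per line, oldest first.
# Matches "Out of memory: Kill process N (name)" (older kernels) and
# "Out of memory: Killed process N (name)" (newer kernels).
oom_victims() {
    printf '%s\n' "$1" \
      | grep -E 'Out of memory: Kill(ed)? process [0-9]+ \(' \
      | sed -E 's/.*Out of memory: Kill(ed)? process [0-9]+ \(([^)]+)\).*/\2/'
}

# Number of OOM kills in the given kernel log text; 0 means the scanner
# died for some other reason and RAM is not the thing to tune first.
oom_count() {
    oom_victims "$1" | awk 'END { print NR }'
}

# Live check on the Pi: free memory, how many OpenVAS processes are running,
# and which processes the kernel has killed since boot.
scan_health() {
    log=$(dmesg 2>/dev/null)
    echo "MemAvailable: $(awk '/MemAvailable/ { print $2 " kB" }' /proc/meminfo)"
    echo "openvas processes: $(pgrep -c -f openvas)"
    echo "OOM kills since boot: $(oom_count "$log")"
    oom_victims "$log"
}
```

Run scan_health every few minutes during a scan; if the victim list grows while you raise the hosts/NVT numbers, you have found the ceiling for this hardware.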
I then switched to 1 host and 5 NVTs (1/5) and let it run for a day. It plugged along and got to about 30% completion after 24 hours. During that time I monitored resources with htop and noticed there were still spare CPU cycles and RAM available.
I switched to 3 hosts and 7 NVTs (3/7) and saw it get to about 50% in 24 hours; there still appeared to be times when spare RAM and CPU were available.
One more tweak to 3 hosts and 10 NVTs (3/10) and I saw the crashing behavior again.
At this point I concluded that RPi vulnerability scanning (based on OpenVAS) is viable but not recommended for those hoping to do a quick deploy, full network scan, and demobilization. It simply takes too long to complete a full network scan.